CVE-2024-1442

MEDIUM severity · CVSS 6 · Improper privilege management

6CVSS MEDIUM

Summary

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredHigh

User interactionNone

Confidentiality impactHigh

Integrity impactLow

Availability impactLow

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Affected products we track (1)

Grafana

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://grafana.com/security/security-advisories/cve-2024-1442/Advisory
https://grafana.com/security/security-advisories/cve-2024-1442/Advisory
https://security.netapp.com/advisory/ntap-20241122-0007/Advisory